Get started
Language / Region
© 2022 Yandex.Cloud LLC
Yandex Resource Manager

Setting up cloud access rights

Written by

To grant a user access to all the cloud resources, assign the user a role for this cloud.

Assign a role for the cloud

  1. Open the Users and roles page for the selected cloud. If necessary, switch to another cloud.

    1. Select a user to assign a role to.
    2. Click .
    3. Select Configure access.
  3. In the section, click Roles for the cloud .
  4. Select a role from the list.

  1. See the description of the command to assign a role for a cloud:

    yc resource-manager cloud add-access-binding --help

  2. Get a list of available clouds:

    yc resource-manager cloud list

    Result:

    +----------------------+----------+
|          ID          |   NAME   |
+----------------------+----------+
| b1gg8sgd16g7qca5onqs | my-cloud |
+----------------------+----------+

  3. Get a list of available roles:

    yc iam role list

    Result:

    +--------------------------------+-------------+
|               ID               | DESCRIPTION |
+--------------------------------+-------------+
| admin                          |             |
| compute.images.user            |             |
| editor                         |             |
| ...                            |             |
+--------------------------------+-------------+

  4. Find out the user's ID from the login or email address. To assign a role to a service account or system group instead of a user, see the examples below.

    yc iam user-account get test-user

    Result:

    id: gfei8n54hmfhuk5nogse
yandex_passport_user_account:
    login: test-user
    default_email: test-user@yandex.ru

  5. Assign the editor role for the my-cloud cloud to a user named test-user. In the subject, specify the userAccount type and user ID:

    yc resource-manager cloud add-access-binding my-cloud \
  --role editor \
  --subject userAccount:<user ID>

Use the updateAccessBindings method for the Cloud resource. You will need the cloud ID and the ID of the user who is assigned the role for the cloud.

  1. Find out the cloud ID using the list:

    curl -H "Authorization: Bearer <IAM-TOKEN>" \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds

    Result:

    {
 "clouds": [
  {
   "id": "b1gg8sgd16g7qca5onqs",
   "createdAt": "2018-09-23T12:14:45Z",
   "name": "cloud-b1gg8sgd16g7qc"
  }
 ]
}

  2. Find out the user ID from the login using the getByLogin method:

    curl -H "Authorization: Bearer <IAM-TOKEN>" \
    https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user

    Result:

    {
 "id": "gfei8n54hmfhuk5nogse",
 "yandexPassportUserAccount": {
  "login": "test-user",
  "defaultEmail": "test-user@yandex.ru"
 }
}

  3. Assign the user the editor role for the my-cloud cloud. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

    curl -X POST \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <IAM-TOKEN>" \
    -d '{
    "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
            "roleId": "editor",
            "subject": {
                "id": "<user ID>",
                "type": "userAccount"
    }}}]}' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. Describe the properties of the cloud access rights in a configuration file:

    • cloud_id: cloud ID. You can get a list of available clouds using the CLI command: yc resource-manager cloud list.
    • role: Role to assign. You can get a list of roles using the CLI command: yc iam role list. In one yandex_resourcemanager_cloud_iam_binding resource, you can assign only one role.
    • members section: List of users to assign the role to. Each entry may have one of the following values: 
    data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_binding" "editor" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role = "editor"
  members = [
    "userAccount:<user ID>",
  ]
}

    For more detailed information on the parameters of the yandex_resourcemanager_cloud_iam_binding resource in Terraform, see the provider documentation.

  2. In the command line, go to the directory where you created the configuration file.

  3. Make sure the configuration file is correct using the command:

    terraform validate

    If the configuration is correct, the following message is returned:

    Success! The configuration is valid.

  4. Run the command:

    terraform plan

    The terminal displays a list of resources to be created and their parameters. No changes are made at this step. If there are errors in the configuration, Terraform points them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes in the terminal and press Enter.

    After that access rights are granted for the cloud.

Examples

Assign multiple roles

The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-binding command.

Alert

The set-access-binding command completely rewrites the access rights to the resource. All current resource roles will be deleted.

  1. Make sure the resource doesn't have any roles that you don't want to lose:

    yc resource-manager cloud list-access-binding my-cloud

  2. For example, assign a role to multiple users:

    yc resource-manager cloud set-access-bindings my-cloud \
  --access-binding role=editor,subject=userAccount:<first user ID>
  --access-binding role=viewer,subject=userAccount:<second user ID>

Assign the editor role to one user and the viewer role to another user:

curl -X POST \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <IAM-TOKEN>" \
    -d '{
    "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
            "roleId": "editor",
            "subject": {
                "id": "<first user ID>",
                "type": "userAccount"
            }
        }
    },{
        "action": "ADD",
        "accessBinding": {
            "roleId": "viewer",
            "subject": {
                "id": "<second user ID>",
                "type": "userAccount"
    }}}]}' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings

You can also assign roles using the setAccessBindings.

Alert

The setAccessBindings method completely rewrites the access rights to the resource! All current resource roles will be deleted.

curl -X POST \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <IAM-TOKEN>" \
    -d '{
    "accessBindings": [{
        "roleId": "editor",
        "subject": { "id": "<first user ID>", "type": "userAccount" }
    },{
        "roleId": "viewer",
        "subject": { "id": "<second user ID>", "type": "userAccount" }
    }]}' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:setAccessBindings

  1. Describe the properties of the cloud access rights in a configuration file. Assign the editor role to one user and the viewer role to another user:

    data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_binding" "editor" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role = "editor"
  members = [
    "userAccount:<first user ID>",
  ]
}

resource "yandex_resourcemanager_cloud_iam_binding" "viewer" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role = "viewer"
  members = [
    "userAccount:<second user ID>",
  ]
}

  2. In the command line, go to the directory where you created the configuration file.

  3. Make sure the configuration file is correct using the command:

    terraform validate

    If the configuration is correct, the following message is returned:

    Success! The configuration is valid.

  4. Run the command:

    terraform plan

    The terminal displays a list of resources to be created and their parameters. No changes are made at this step. If there are errors in the configuration, Terraform points them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes in the terminal and press Enter.

    After that access rights are granted for the cloud.

Cloud access for service accounts

A service account can only be assigned roles for the cloud that it belongs to.

Allow the test-sa service account to manage the my-cloud cloud and its resources:

  1. Find out the ID of the test-sa service account that you want to assign the role to. To do this, get a list of available service accounts:

    yc iam service-account list

    Result:

    +----------------------+----------+------------------+
|          ID          |   NAME   |   DESCRIPTION    |
+----------------------+----------+------------------+
| ajebqtreob2dpblin8pe | test-sa  | test-description |
+----------------------+----------+------------------+

  2. Assign the editor role to the test-sa service account by specifying its ID. In the subject type, specify serviceAccount:

    yc resource-manager cloud add-access-binding my-cloud \
  --role editor \
  --subject serviceAccount:<service account ID>

  1. Find out the ID of the test-sa service account that you want to assign the role to. To do this, get a list of available service accounts:

    curl -H "Authorization: Bearer <IAM-TOKEN>" \
    https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yysaplct532

    Result:

    {
 "serviceAccounts": [
  {
   "id": "ajebqtreob2dpblin8pe",
   "folderId": "b1gvmob95yysaplct532",
   "createdAt": "2018-10-18T13:42:40Z",
   "name": "test-sa",
   "description": "test-description"
  }
 ]
}

  2. Assign the editor role for the my-cloud cloud to the test-sa service account. In the subject property, specify the serviceAccount type and the test-sa ID. In the request URL, specify the my-cloud ID:

curl -X POST \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <IAM-TOKEN>" \
    -d '{
    "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
            "roleId": "editor",
            "subject": {
                "id": "<service account ID>",
                "type": "serviceAccount"
    }}}]}' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings

  1. Assign the editor role to a service account.

    data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_binding" "editor" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role = "editor"
  members = [
    "serviceAccount:<service account ID>",
  ]
}

  2. In the command line, go to the directory where you created the configuration file.

  3. Make sure the configuration file is correct using the command:

    terraform validate

    If the configuration is correct, the following message is returned:

    Success! The configuration is valid.

  4. Run the command:

    terraform plan

    The terminal displays a list of resources to be created and their parameters. No changes are made at this step. If there are errors in the configuration, Terraform points them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes in the terminal and press Enter.

    After that access rights are granted for the cloud.

Access to a resource for all users

You can grant public access to a resource. To do this, assign a role to the system group allAuthenticatedUsers or allUsers.

You can assign any role to the system group, except resource-manager.clouds.owner and resource-manager.clouds.member.

Alert

Do not assign a system group the editor or admin role for a catalog or cloud. Otherwise, anyone who knows the folder ID can use Yandex Cloud at your expense.

For instance, allow any authenticated user to view information about the my-cloud cloud and its resources:

Assign the viewer role to the allAuthenticatedUsers system group. In the subject type, specify system:

yc resource-manager cloud add-access-binding my-cloud \
  --role viewer \
  --subject system:allAuthenticatedUsers

Assign the viewer role to the allAuthenticatedUsers system group. In the subject property, specify the system type:

curl -X POST \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <IAM-TOKEN>" \
    -d '{
    "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
            "roleId": "viewer",
            "subject": {
                "id": "allAuthenticatedUsers",
                "type": "system"
    }}}]}' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings

  1. Assign the viewer role to the allAuthenticatedUsers system group.

    data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_binding" "viewer" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role = "viewer"
  members = [
    "system:allAuthenticatedUsers",
  ]
}

  2. In the command line, go to the directory where you created the configuration file.

  3. Make sure the configuration file is correct using the command:

    terraform validate

    If the configuration is correct, the following message is returned:

    Success! The configuration is valid.

  4. Run the command:

    terraform plan

    The terminal displays a list of resources to be created and their parameters. No changes are made at this step. If there are errors in the configuration, Terraform points them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes in the terminal and press Enter.

    After that access rights are granted for the cloud.

What's next

Language / Region
© 2022 Yandex.Cloud LLC
In this article: